Windows Server 2008, the host with the most

IT shops are likely to use Windows Server 2008 the same way they use Windows Server 2003 now, except that they can run lots of independent virtual Windows Servers that scale in features and footprint across a broad range of options.

Big services for small clients

Windows Server 2008 covers another flavor of virtualization in the form of Terminal Services. Terminal Services is a mainstay of Windows Server, and the big news in this release is its HTTPS tunnel, or Terminal Services Gateway. Edge security often blocks inbound access to the TCP ports needed by Terminal Services. The Terminal Services Gateway allows remote clients normally blocked by firewalls to access Terminal Services, without the hassle of VPN, but with full security and auditing.

Terminal Services Gateway will undoubtedly get played by competitors as an exploitable backdoor, but it's a much smarter way to control user access (internal as well as external) to network services. Terminal Services Gateway requires the application of Remote Access Policies (RAP) that define and enforce the characteristics of clients permitted access to Terminal Services, and remote services in general. A client that doesn't meet RAP's health tests and policies, such as a notebook that's plugged into your network by an internal hacker, can't get in through Terminal Services or any other means. Period.

Seriously? Absolutely. BitLocker local disk encryption can be defined as an enforced remote access policy. Users like encryption for privacy, but IT will love BitLocker. It uses a client system's Trusted Platform Module (TPM) to create a file access authentication path that users cannot bypass, even if they boot from a nonencrypted drive or overwrite the boot blocks on the local drive. If policies allow users to work with local copies of sensitive files, the TPM can ensure that files are unreadable away from the network, and they can't be copied to removable media.

More to the point, if you have a lapse in security that allows a user inside the firewall to suck in a database of customer information, when they get their client home they won't be able to read the files they've stolen. All access to Windows Server 2008 is revocable at the user, client computer, or group level. To absolutely, positively terminate employees' or contractors' network access, and access to locally stored files, the administrator need only create and distribute a new certificate. This is one of many simple ways to change the locks in Windows Server 2008.

This, too, will raise the hackles of those who don't like the idea of systems that users can't control, but they should know that BitLocker and RAP do not preclude the use of other operating systems, and they can be undone by someone with administrative privileges (another reason to extend these sparingly). Used properly, RAP, TPM, and BitLocker can obviate the necessity for client-side security agents and hardware such as USB crypto keys.

Windows Server 2008 enhances network security in other ways as well. Tunneling is implemented in several Windows network services, and can be extended to any application through socket sharing. Several applications, even applications that use different protocols, can listen on a single TCP socket. Traffic analysis routes packets to the appropriate application, and port sharing doesn't interfere with load balancing.
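As an added illustration (not code from the article or from Windows), the sketch below shows how a listener on one shared port could tell protocols apart from the first bytes of a connection and refuse anything it does not expect. The signatures, backend names and sample bytes are assumptions constructed for the example; Windows Server 2008's own port-sharing logic may route differently.

```python
# Added illustration: protocol signatures, backend names and sample bytes are
# assumptions/constructed here, not Windows Server 2008's own routing logic.

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")

def classify(first_bytes: bytes) -> str:
    """Label the protocol from the opening bytes of a TCP stream."""
    if len(first_bytes) < 4:
        return "need-more-data"
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    # TPKT header (RFC 1006) that carries RDP: version 3, reserved 0,
    # then a 16-bit big-endian length of at least 7 bytes.
    if first_bytes[0] == 0x03 and first_bytes[1] == 0x00:
        if int.from_bytes(first_bytes[2:4], "big") >= 7:
            return "rdp"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return "unknown"

# Hypothetical backends sharing one listening port.
BACKENDS = {"tls": "https-gateway", "rdp": "terminal-services"}

def route(first_bytes: bytes, backends=BACKENDS):
    """Return (action, target): forward known protocols, drop the rest."""
    label = classify(first_bytes)
    if label == "need-more-data":
        return ("wait", None)
    if label in backends:
        return ("forward", backends[label])
    # Anything not explicitly allowed is refused and should be logged.
    return ("drop", label)

# Constructed sample openings, one per protocol.
SAMPLES = {
    "tls_client_hello": bytes.fromhex("16030100c8010000c40303"),
    "rdp_x224_request": bytes.fromhex("030000130ee000000000000100080003000000"),
    "plain_http": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "ssh_banner": b"SSH-2.0-OpenSSH_9.6\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, route(data))
```

Because the routing table is an allowlist, cleartext HTTP and the SSH banner are dropped even though both are recognisable, which is the behaviour you want on a single, heavily monitored port.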

The potential for OS-level tunneling becomes evident when many guest OS instances are run on a single physical host. The Windows Server 2008 host acts as a gateway and load balancer. Tunneling may allow guests to share one TCP port such that one heavily monitored HTTPS socket might be the only direct access a virtual host has to the outside world. I haven't tested this to see if it's a feature in the current release, but I see this as tunneling's greatest potential use.

With or without tunneling, Terminal Services has grown from a convenience to a necessity. Remote Desktop Protocol version 6 and 6.1 are bundled with Vista, and count among the many new Windows Server 2008 features that roll out a red carpet for Vista clients. In the recent past, I have taken the position that IT shouldn't be forced into Vista. After working Vista with Windows Server 2008, especially Terminal Services, I have reversed my position. As you migrate from Windows Server 2003 to 2008, upgrade your clients as well.


Tom Yager

InfoWorld